Detectionmediumexperimental

AWS EnableRegion Command Monitoring

Detects the use of the EnableRegion command in AWS CloudTrail logs. While AWS has 30+ regions, some of them are enabled by default, others must be explicitly enabled in each account separately. There may be situations where security monitoring does not cover some new AWS regions. Monitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Ivan Saakov, Sergey ZelenskiyCreated Sun Oct 19a5ffb6ea-c784-4e01-b30a-deb6e58ca2abcloud

Log Source

AWScloudtrail

ProductAWS← raw: aws

Servicecloudtrail← raw: cloudtrail

Detection Logic

detection:
    selection:
        eventName: 'EnableRegion'
        eventSource: 'account.amazonaws.com'
    condition: selection

False Positives

Legitimate use of the EnableRegion command by authorized administrators.

References

MITRE ATT&CK

Tactics

TA0003 · Persistence

Rule Metadata

Rule ID

a5ffb6ea-c784-4e01-b30a-deb6e58ca2ab

Status

experimental

Level

medium

Type

Detection

Created

Sun Oct 19

Author

Ivan Saakov, Sergey Zelenskiy

Path

rules/cloud/aws/cloudtrail/aws_cloudtrail_region_enabled.yml

Raw Tags

attack.persistence

View on GitHub